Comments (7)
Personally I go with a separate permission to mean reading generic lists, like :list or :index
from access-granted.
Oops, I just realized it could get even worse though.
I realized it could get even worse though….
I get an exception now because Post.published
is not a method… but what if it was a method, a scope for fetching published posts! That actually is a frequent convention… Post.published.where(title: foo)
.
Then the access_granted would decide that ordinary users could :read, Post
because Post.published would return something other than false or nil. (It would return an ActiveRecord relation).
Maybe I'm just trying to be too clever -- any given permission should always only be used with a class object (as in :create
examples) or only with instance objects (as in your :update
examples).
It makes the :manage
shortcut a bit tricker to use if you are ever adding conditions, since it includes :create
conventionally used with Class as well as the others with instances. Oh well, it's just a shortcut.
and then whatever, I just need to create a new permission :can_read_all_posts
or something that only applies to admin
.
I'm not sure?
from access-granted.
I would not worry about the :manage shortcut, it's basically just something I reused from Cancan for easier management - but in retrospect I am not too fond about it. I'd be okay with getting rid of it
from access-granted.
Yeah, the manage shortcut just made things even more obvious, but even without it, I was hoping I could do:
role :admin, { role: "admin" } do
can :read, Post
end
role :user do
can :read, Post, { published: true }
end
And then ask both:
can? :read, an_individual_post
can? :read, Post
# meaning can they read all posts, generally?
but of course I can't.
Do you have a pattern to recommend when I have a policy like above, but sometimes need to answer "Should I show the button for show unpublished posts
, are they allowed to see them generally?"
from access-granted.
Thanks that's helpful. In this case it's not a permission for "reading lists", but specifically for reading lists including unpublished records. We can easily filter the records already, just:
filtered = records.collect { |r| can? :read, r }
So there are people looking at the list view that can see unpublished records, and others that can't see unpublisehd records. Same list view. We filter the records.
But then we have some UI elements on the list view that only apply to people who can see unpublished records...
but I guess a separate permission is the way to go, maybe
can :list_unpublished, Posts
It's annoying to me, because it is really duplicate information, it really duplicates:
can :read, Posts # with no conditions, unlike other roles that have conditions, published-only
But I guess that's just the way it is, no big deal.
from access-granted.
Thanks for going into detail with the example, really helpful!
Yeah if you have some UI elements that don't relate to specific object of a model then sadly, you most likely need a separate permission to separate them.
I didn't really want to include the AR integration and the ability to filter records because I found those to be messy at the time, but maybe something more generic could work (your example with the published
class method).
In regards to being too clever
another possibility would be to have can
be used like this:
# policy
can :read, Post do |record, user|
if record.is_a?(Class)
user.admin?
else
record.published? || user.admin?
end
end
Then in your UI you could do
if can? :read, Post
around the button to show all posts.
It looks explicit but should handle both cases. Though I am writing that from the top of my head so I am not entirely sure we allow passing blocks like that for non-instance can
method calls. I'll give it a try :)
from access-granted.
I agree no specific AR-integration needs to be provided by access-granted, the API already present is fine and lets us easily filter whatever we want.
Still mulling over these suggestions, thanks! if can? :read, Post
is what I tried first, on the analogy of can? :create, Post
in the docs -- but the issue is that doesn't work when this is my policy:
role :admin, { role: "admin" } do
can :read, Post
end
role :user do
can :read, Post, { published: true }
end
In that case, asking can? :read, Post
results in undefined method 'published' for Post:Class
. Since the {published: true}
check is there for asking can? :read, specific_post_obj
.
from access-granted.
Related Issues (20)
- Permissions with blocks work too persmissive (block is ignored) HOT 4
- Replacement for accessible_by HOT 9
- Can we use with `gem 'role_model'` HOT 5
- Block in role always evaluating true HOT 5
- Caching accesses. HOT 4
- errors with non-logged in users HOT 3
- Error when there is no user logged in HOT 1
- Able to access protected controller actions HOT 2
- permission always uses conditions hash when passed a Class as subject HOT 7
- Higher level roles do not seem to inherit from lower level roles HOT 15
- Support for introspection HOT 11
- Object and Subobject HOT 1
- Feature request: special handling for nil current_user? HOT 16
- README should provide promised "cannot" example. HOT 5
- How to setup access_policy.rb when roles are not part of a user model? HOT 3
- Support for :all HOT 1
- Undefined method with ViewComponents HOT 4
- class inheritance, and class as test subject HOT 4
- Is this project dead? HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from access-granted.